Thursday, January 10, 2013

The dangers of USB drives

What makes USB drives so great at carrying malware?

Stuxnet, which was discovered in June and has since spread to millions of machines around the world, is the most sophisticated computer attack we've ever seen.

Though its true purpose is unknown—teams of experts across the globe are poring through the code in an effort to divine its intentions—the deviousness of its design has prompted many researchers to call it a "cyber-weapon," one perhaps created by the United States or Israel to disrupt Iran's nuclear program.
What's most interesting about Stuxnet isn't how smart its authors were; it's how dumb they guessed we all would be. 
How did the worm's creators expect to get it inside some of the most secure installations in the world?
After all, sensitive machines often operate behind an "air gap"—that is, their networks are physically separated from the Internet and other dangerous networks where viruses can roam freely.

Getting anything inside one of these zones requires the complicity of an employee. That's exactly what Stuxnet got, because its authors designed the worm to piggyback on the perfect delivery system—the ubiquitous, innocent-looking USB flash drive, the planet's most efficient vector of viruses, worms, and other malware.

USB drives are the mosquitoes of the digital world—small, portable, and everywhere, so common as to be nearly invisible.

Funny story: At a conference in Australia last year, IBM handed out thumb drives that turned out to be infected by malware. It was a computer-security conference.

We know we shouldn't click on e-mail attachments from strangers, and we know we should be wary of typing our passwords into shady sites online. But the USB disk has somehow evaded our suspicion; few of us look at them and recoil at the dangers that could be lying within.

Indeed, USB sticks evoke exactly the opposite emotion—if you saw a stray one on the street or lying around your office, wouldn't you pick it up and put it in your computer to try to identify the rightful owner?

If a company wants to ratchet up security, it's not as simple as banning all thumb drives. To be extra careful, you'd have to ban iPods, cameras, and every other USB-based doohickey—all of those devices are capable of carrying Stuxnet-like viruses, too.

The only hope is education: Don't trade USB sticks, don't stick an unknown one into your machine, and don't pick one up off the street and plug it in your machine just to see what's inside.

But I don't know if we're ever going to win that battle. It's human nature. If I were a normal person and I didn't work in this bubble of security? If I found a USB drive, the first thing I would want to do is plug it in, too.

